diff options
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r-- | nixos/modules/services/security/nginx-sso.nix | 58 | ||||
-rw-r--r-- | nixos/modules/services/security/sks.nix | 28 | ||||
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 99 |
3 files changed, 136 insertions, 49 deletions
diff --git a/nixos/modules/services/security/nginx-sso.nix b/nixos/modules/services/security/nginx-sso.nix new file mode 100644 index 000000000000..d792f90abe64 --- /dev/null +++ b/nixos/modules/services/security/nginx-sso.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.nginx.sso; + pkg = getBin pkgs.nginx-sso; + configYml = pkgs.writeText "nginx-sso.yml" (builtins.toJSON cfg.configuration); +in { + options.services.nginx.sso = { + enable = mkEnableOption "nginx-sso service"; + + configuration = mkOption { + type = types.attrsOf types.unspecified; + default = {}; + example = literalExample '' + { + listen = { addr = "127.0.0.1"; port = 8080; }; + + providers.token.tokens = { + myuser = "MyToken"; + }; + + acl = { + rule_sets = [ + { + rules = [ { field = "x-application"; equals = "MyApp"; } ]; + allow = [ "myuser" ]; + } + ]; + }; + } + ''; + description = '' + nginx-sso configuration + (<link xlink:href="https://github.com/Luzifer/nginx-sso/wiki/Main-Configuration">documentation</link>) + as a Nix attribute set. + ''; + }; + }; + + config = mkIf cfg.enable { + systemd.services.nginx-sso = { + description = "Nginx SSO Backend"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = '' + ${pkg}/bin/nginx-sso \ + --config ${configYml} \ + --frontend-dir ${pkg}/share/frontend + ''; + Restart = "always"; + DynamicUser = true; + }; + }; + }; +} diff --git a/nixos/modules/services/security/sks.nix b/nixos/modules/services/security/sks.nix index 9f0261038d5b..8136a5c763a9 100644 --- a/nixos/modules/services/security/sks.nix +++ b/nixos/modules/services/security/sks.nix @@ -5,6 +5,9 @@ with lib; let cfg = config.services.sks; sksPkg = cfg.package; + dbConfig = pkgs.writeText "DB_CONFIG" '' + ${cfg.extraDbConfig} + ''; in { meta.maintainers = with maintainers; [ primeos calbrecht jcumming ]; @@ -39,6 +42,20 @@ in { ''; }; + extraDbConfig = mkOption { + type = types.str; + default = ""; + description = '' + Set contents of the files "KDB/DB_CONFIG" and "PTree/DB_CONFIG" within + the ''${dataDir} directory. This is used to configure options for the + database for the sks key server. + + Documentation of available options are available in the file named + "sampleConfig/DB_CONFIG" in the following repository: + https://bitbucket.org/skskeyserver/sks-keyserver/src + ''; + }; + hkpAddress = mkOption { default = [ "127.0.0.1" "::1" ]; type = types.listOf types.str; @@ -99,6 +116,17 @@ in { ${lib.optionalString (cfg.webroot != null) "ln -sfT \"${cfg.webroot}\" web"} mkdir -p dump + # Check that both database configs are symlinks before overwriting them + if [ -e KDB/DB_CONFIG ] && [ ! -L KBD/DB_CONFIG ]; then + echo "KDB/DB_CONFIG exists but is not a symlink." >&2 + exit 1 + fi + if [ -e PTree/DB_CONFIG ] && [ ! -L PTree/DB_CONFIG ]; then + echo "PTree/DB_CONFIG exists but is not a symlink." >&2 + exit 1 + fi + ln -sf ${dbConfig} KDB/DB_CONFIG + ln -sf ${dbConfig} PTree/DB_CONFIG ${sksPkg}/bin/sks build dump/*.gpg -n 10 -cache 100 || true #*/ ${sksPkg}/bin/sks cleandb || true ${sksPkg}/bin/sks pbuild -cache 20 -ptree_cache 70 || true diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 137c3d610186..3892cd5c72b8 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -4,6 +4,7 @@ with lib; let cfg = config.services.sshguard; + in { ###### interface @@ -77,65 +78,65 @@ in { Systemd services sshguard should receive logs of. ''; }; - }; - }; - ###### implementation config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.sshguard pkgs.iptables pkgs.ipset ]; - environment.etc."sshguard.conf".text = let - list_services = ( name: "-t ${name} "); - in '' - BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset" - LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl -afb -p info -n1 ${toString (map list_services cfg.services)} -o cat" + args = lib.concatStringsSep " " ([ + "-afb" + "-p info" + "-o cat" + "-n1" + ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + in '' + BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset" + LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" + ''; + + systemd.services.sshguard = { + description = "SSHGuard brute-force attacks protection system"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + partOf = optional config.networking.firewall.enable "firewall.service"; + + path = with pkgs; [ iptables ipset iproute systemd ]; + + postStart = '' + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet + ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6 + ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP + ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP + ''; + + preStop = '' + ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP + ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ''; - systemd.services.sshguard = - { description = "SSHGuard brute-force attacks protection system"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - partOf = optional config.networking.firewall.enable "firewall.service"; - - path = [ pkgs.iptables pkgs.ipset pkgs.iproute pkgs.systemd ]; - - postStart = '' - mkdir -p /var/lib/sshguard - ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:ip family inet - ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:ip family inet6 - ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP - ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP - ''; - - preStop = '' - ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP - ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP - ''; - - unitConfig.Documentation = "man:sshguard(8)"; - - serviceConfig = { - Type = "simple"; - ExecStart = let - list_whitelist = ( name: "-w ${name} "); - in '' - ${pkgs.sshguard}/bin/sshguard -a ${toString cfg.attack_threshold} ${optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file} "}-i /run/sshguard/sshguard.pid -p ${toString cfg.blocktime} -s ${toString cfg.detection_time} ${toString (map list_whitelist cfg.whitelist)} - ''; - PIDFile = "/run/sshguard/sshguard.pid"; - Restart = "always"; - - ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/run/sshguard /var/lib/sshguard"; - RuntimeDirectory = "sshguard"; - StateDirectory = "sshguard"; - CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; - }; + unitConfig.Documentation = "man:sshguard(8)"; + + serviceConfig = { + Type = "simple"; + ExecStart = let + args = lib.concatStringsSep " " ([ + "-a ${toString cfg.attack_threshold}" + "-p ${toString cfg.blocktime}" + "-s ${toString cfg.detection_time}" + (optionalString (cfg.blacklist_threshold != null) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}") + ] ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)); + in "${pkgs.sshguard}/bin/sshguard ${args}"; + Restart = "always"; + ProtectSystem = "strict"; + ProtectHome = "tmpfs"; + RuntimeDirectory = "sshguard"; + StateDirectory = "sshguard"; + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; }; + }; }; } |